CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Dutch Raid Fails to Dent Russian Bulletproof Host

Dark Reading Archived May 28, 2026 ✓ Full text saved

Dutch law enforcement seized 800 servers and arrested two operators of THE.Hosting but left the hosting provider's core IP address space intact.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBER RISK CYBERATTACKS & DATA BREACHES THREAT INTELLIGENCE NEWS Dutch Raid Fails to Dent Russian Bulletproof Host Dutch law enforcement seized 800 servers and arrested two operators of THE.Hosting but left the hosting provider's core IP address space intact. Jai Vijayan,Contributing Writer May 28, 2026 4 Min Read SOURCE: VIKTOLLIO VIA SHUTTERSTOCK A recent Dutch law enforcement operation to dismantle a bulletproof hosting network appears to have done little to disrupt its ongoing malicious activity, highlighting the resilience of modern cybercriminal infrastructure against takedown efforts. On May 18, the Netherlands Ministry of Finance's fiscal crime service (FIOD) seized more than 800 servers and arrested two people connected to THE.Hosting, a network tied to Russian cybercrime and influence operations in the European Union.  THE.Hosting Scanning Activity Continues Unabated But more than a week later, scanning activity from the network has remained at almost the same levels as before, according to researchers at Prague-based threat intelligence firm ELLIO. "The traffic is broad, opportunistic attack and botnet-building," ELLIO said in a report this week. "It recruits Internet-of-Things devices into botnets, drops cryptominers and self-replicating bots, steals cloud credentials, exploits exposed web applications, and abuses proxy capacity to attack third parties." Related:Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security THE.Hosting is the latest incarnation of a bulletproof hosting network that researchers trace back to infrastructure originally controlled by a Russian individual registrant in 2022. Shortly after Russia invaded Ukraine in February 2022, the individual transferred the network's autonomous system number (ASN), AS44477, to a newly incorporated company called Stark Industries Solution. An ASN is a number assigned to a network's block of IP addresses that tells the rest of the Internet how to route traffic to and from those addresses. When the EU sanctioned Stark Industries in 2025, the operators transferred AS44477 to another newly created entity called PQ Hosting Plus S.R.L. They later rebranded it yet again, to THE.Hosting, and moved operations to a new network, AS209847, under a Dutch company called WorkTitans B.V. The net effect of all the maneuvering was having a Russian bulletproof hosting network sitting inside EU data centers with traffic reaching the Internet from a legitimate Dutch company rather than Russian, ELLIO said. "The company history reads like a relay race run to stay ahead of sanctions," the threat intelligence firm said in an accompanying blog post. "In our honeypot telemetry, this corporate relay shows up cleanly as a migration across autonomous systems, the numbered networks that announce IP address space to the internet." The old Stark/PQ network drove the scanning through the summer of 2025, according to ELLIO, and "threw one last enormous punch" on Aug. 30. After it faded, THE.Hosting suddenly ramped up in its place, generating more two million scanning sessions per month in November and December 2025. Related:Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks A Resilient and Resourceful Adversary A bulletproof hosting (BPH) service knowingly provides its infrastructure for cybercriminals, ransomware operators and other threat actors. The services typically operate across multiple jurisdictions, ignore abuse complaints, and don't cooperate with law enforcement, making it difficult for authorities to take action against the criminals renting their infrastructure. Cybercriminals use such services to host malware, run botnets, distribute spam, and conduct cyberattacks while avoiding take down efforts. According to ELLIO, threat actors using the old Stark/PQ network were mainly focused on finding systems with weak or default passwords across services like web servers, SSH access, FTP file transfer, and Windows file shares.  The scanning activity associated with THE.Hosting's is broader and more concerning because it involves databases and industrial control systems (ICS). ELLIO researchers said they observed probes for exposed MongoDB, Redis, PostgreSQL, and Oracle databases alongside scans for DNP3 and EtherNet/IP, which are protocols commonly associated with power grids, water systems, and other industrial facilities. Related:Content Delivery Exploit Opens Websites to Brand Hijacking Vlad Iliushin, CEO of ELLIO, says the operators of Stark Industries, PQ Hosting and THE.Hosting have been publicly tied to repeated distributed denial-of-service (DDoS) attacks on European critical infrastructure. They have also been linked to disinformation campaigns, including activity attributed to the pro-Russian group NoName057(16) and the attacks on Danish government systems during the November 2025 elections.  Iliushin points to two reasons why the recent Dutch law enforcement operation has had little effect on THE.Hosting. First, taking physical servers off the rack doesn't take away the address space those servers were using, he says.  "The blocks are still allocated to the operator by the Regional Internet Registry for Europe, [are] still announced via BGP, and as soon as the operator puts new hardware behind those addresses in another data center, in another country, the scanning resumes," Iliushin says, adding that Dutch authorities seized things they could legally seize but there was no BGP blackholing, he says. The other reason is that THE.Hosting's address blocks, registered under the Dutch firm WorkTitans B.V., are geolocated across the Netherlands, the United States, Germany, Finland, Turkey, the UK, France, Moldova, Poland, Kazakhstan, Czechia and Latvia. "So, the scans we observe are originating from the address blocks assigned to AS209847 but are not necessarily coming from the Netherlands," he says. The best-case scenario for taking down an operation like THE.Hosting would be collaboration between law enforcement agencies across the European Union and US and to blackhole all address spaces belonging to AS209847, Iliushin notes.  "The FIOD raided servers in Dutch data centers, which means the infrastructure hosted by THE.Hosting and its customers in the Netherlands was affected," he says. "[But] just like legitimate hosting providers, THE.Hosting is reselling VPS in multiple countries, not only in the Netherlands. Infrastructure hosted in other countries is unaffected." About the Author Jai Vijayan Contributing Writer Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.  Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.  Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.   Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗